MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f
SHA3-384 hash: 7ae31f3ba9a6ee7f18c90f03ba802823cb7f7a8ab0db9ea1c678bb2b44d00566c9a766a7f9083d274c2a6970dd33af31
SHA1 hash: ff86b0e7c04739835f043da76dca91f8e49351a9
MD5 hash: c041ea1db65b15853616addc268a5342
humanhash: burger-ack-diet-table
File name:Ordem de Compra.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'064'448 bytes
First seen:2023-04-28 05:04:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:yjCFyy3LuJCKhieUHU03chggmYBKtBp6F:yyyy33GinHC/dBKt
Threatray 571 similar samples on MalwareBazaar
TLSH T16335593C28BD1627C57AD7E58FD08427B664986B7121EE64ACD793E20306F1269C363F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DarkCloud ESP exe geo Telegram

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ordem de Compra.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-28 05:08:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/867947cb-9034-4074-9718-3b0319eaaf91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385339/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644b5402961a21dc785bb863/reports/713851eb-6f3c-4695-9d2b-59e3b80af02b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17422147-53f5-4526-9684-2cef86dad8a8
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1222534
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-04-27 04:14:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 22 (81.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kumc6qfyg4wj3g47rvovttrypmm2znpdkwxwuqfgx65qx5sl2mpq._file
Verdict:
malicious
Similar samples:
5027d53a0f057968982a4c2610a105ce2fe89d9e2de1ffc70177c750be3a8385
DarkCloud
8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b
DarkCloud
a4101ed91c9c07c3814605532429c9aab06431d50f0e79cb2e57737bc8d96d8b
DarkCloud
a41393bd39582df82349eeb018fe53f04daa4acdf59913d74d48866eeabf7c30
DarkCloud
c2007efc856ef59747e1246b35cdf0ce25dc3748272a4ad54bea979ad34e55c4
DarkCloud
c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7
DarkCloud
e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
DarkCloud
e6c7bf9f389f560ec25ba1808468c5d334cf75d2142face3704aac05af8c024b
DarkCloud
f8a344532b9c8dba36b351ce752ba35853e625ac627d231a9c0cbc6db980f017
DarkCloud
+ 561 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230428-fqvh2sdh7s/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot5747177798:AAGv5MNvuUjtsZ9QlXMkdP6QssoMkGFSw6s/sendMessage?chat_id=805410216
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/0d7ba759-6198-498a-becc-2ac4ab446ac9/
SH256 hash:
65f430cd72f8d9ba70feeb7f3c9262ce5f9bbd3b8bd6df50119fecbe7300f3ad
MD5 hash:
7c1723ebbbda7fd07460f17df2ab9f8d
SHA1 hash:
ded35f02c8f1d6fbca5178dafbbc30c7543f1002
Link:
https://www.unpac.me/results/0d7ba759-6198-498a-becc-2ac4ab446ac9/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/0d7ba759-6198-498a-becc-2ac4ab446ac9/
SH256 hash:
3c1fba36921c33b8a41b4938936db7fd3cf3f7ef3150465425aa66bbc2564a80
MD5 hash:
6806a119d7870a5ad31597f17b84f898
SHA1 hash:
94039b54210a23569dd8655e2d77f41330553df0
Link:
https://www.unpac.me/results/0d7ba759-6198-498a-becc-2ac4ab446ac9/
SH256 hash:
bfcef7a672b05690f63d778b9f3e881ad8687b3f96fa9dde537740dc8f2d4446
MD5 hash:
a35b597329d3da049d75b1fdfbc2ddd5
SHA1 hash:
711f77ce5f8793269515f567f9bd2929db5d254d
Link:
https://www.unpac.me/results/0d7ba759-6198-498a-becc-2ac4ab446ac9/
SH256 hash:
a65de2885ed64a915027bb257b2925c527e387626e5fc3cd166aee3845ef5e69
MD5 hash:
d5aec5eecb36988faf9acfb52e37ed1a
SHA1 hash:
566c3d2c8c0ca7eb81deb510e760e6f810292a3f
Link:
https://www.unpac.me/results/0d7ba759-6198-498a-becc-2ac4ab446ac9/
SH256 hash:
55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f
MD5 hash:
c041ea1db65b15853616addc268a5342
SHA1 hash:
ff86b0e7c04739835f043da76dca91f8e49351a9
Link:
https://www.unpac.me/results/0d7ba759-6198-498a-becc-2ac4ab446ac9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/385339/

Comments